Password hashing and password salting are methods used to keep login details safe from hackers. These techniques are useful for protecting sensitive data of all kinds, including passwords. In this article, we’ll explain how password hashing and salting works, what the differences are between them, and how they compare to encryption as a security measure.
Password hashing is a process in which an algorithm turns a plaintext password into a fixed-format string of numbers and letters, known as a hash value or digest. If you run a plaintext password (or any word or phrase) through a hashing algorithm, it produces a string of characters that is, in practice, unique to that input. The length of this hashed password depends on the algorithm you use to produce it.
The hash may look to an observer like a random collection of numbers and letters, but it is created as a direct response to the plaintext input, so if you put the same text into the algorithm twice, you’ll get the same hash as a result. Here is an example of what a hashing process might look like (in this example, the plaintext password is “xty3l6bqr8”):
Hash (“xty3l6bqr8”) = 4n3920q25699841r05h5hg8h9w33nvlhg39501
A website can store user password hashes instead of plaintext data. When a user tries to log in, the website hashes the password they submit. If the result matches the hash in the website’s records, the user can access their account. However, if the website’s databases are hacked, all the hackers will get are the hashes, not the passwords themselves.
Unlike encrypted data, hashed data cannot be unhashed; the hashing process is irreversible, thanks to the algorithms used.
Many different password hashing algorithms, or hash functions, are available. Here are just a few of the most commonly used options:
Salting a password is a simple process in which a plaintext password is combined with a random collection of numbers and letters.
Let’s imagine that you need to create a password to set up your account on a website. You make your password “xty3l6bqr8,” a suitably random collection of characters, and input it. The website now initiates the salting process, adding a string of new random characters to the original password. For this example, we’ll say that the salting adds the following characters: “rsl41gjkal.”
Now, if a hacker breaks into the website’s database, they’ll find your password saved as “xty3l6bqr8rsl41gjkal” and won’t have any way of knowing where your password ends and the random extra characters begin. Your password has been salted.
To make salting even more secure, however, it should be combined with hashing.
Salting and hashing work well in tandem. Even though a hash can’t be directly reversed, hackers can still make educated guesses at the original input: they hash large numbers of likely passwords and compare the results against the stolen hashes. With access to a website’s hashes and a little time, they might still be able to figure out a user’s plaintext password.
This type of situation is where password salting can be helpful. Salting a hashed password involves adding randomized numbers and letters to the plaintext password before it is hashed. Here is a representation of this process:
Hash (“xty3l6bqr8” + “rsl41gjkal”) = 4n3920q25699841r05h5hg8h9w33nvlhg39501
A stored hash should always be salted for maximum security. If a hacker steals some hashed passwords and reverse engineers them, they end up with a salted password, not the password itself. Of course, a hacker could still target an individual user with a brute force attack, but that’s unlikely to work if the user has created a complex password, like “xty3l6bqr8.”
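Putting the above together, as an added example that is not from the original article: a random salt generated per stored password, a slow password hash (PBKDF2-HMAC-SHA256 from Python's standard library, standing in for whichever hash function a site chooses), and a constant-time comparison at login. The record format and the 600,000 iteration count are assumptions made for this example.

```python
# Added example: salted password hashing and verification.
# Assumptions: record format "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"
# and a 600,000-iteration work factor; neither comes from the article.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # work factor; raise it as hardware gets faster
SALT_BYTES = 16       # 128-bit random salt, unique for every stored password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt and hash a plaintext password, returning the record to store.

    A fresh random salt is drawn unless one is supplied (only for tests that
    need the deterministic "same input, same hash" property).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login check: re-hash the submitted password with the stored salt and
    compare in constant time so timing does not leak how many bytes matched."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_different_records(password: str) -> bool:
    """Two users who pick the same password get different stored records,
    so a guess that cracks one hash says nothing about the other."""
    return hash_password(password) != hash_password(password)
```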
Encryption, a branch of cryptography, is another security measure that is sometimes confused with hashing and salting. Let’s take a moment to clarify how these three security measures differ.
Encryption is the process of scrambling a piece of data, like a password, into a mass of incomprehensible characters. However, if you have the encryption key (a numerical code generated by the encryption protocol used) you can decrypt the data, turning it back into plaintext.
In contrast, hashing cannot be reversed: it is essentially a form of one-way encryption. Salting is different again, because it doesn’t involve converting the original plaintext but simply complicates the text with additional characters.
It’s worth remembering that encryption vs. hashing isn’t the right way to think about it. These security measures are not mutually exclusive and should really be combined.
Hashing and salting are essential security measures for password storage. Storing passwords in plaintext is incredibly risky because it means a data breach could potentially compromise all user accounts.
Data breaches are a constant threat for businesses and organizations of all sizes. Preventing hacks and data leaks is important, but if they occur, it is vital that any passwords stored within the breached organization are hashed and salted.
Of course, proactive steps should be taken so that hashes never fall into the wrong hands in the first place. That’s why many organizations now use VPN services, like NordVPN, to encrypt their online activity. With employees increasingly working from outside their offices, being able to protect each individual device on a company network has never been more important.
NordVPN can keep data safe while in transit, even if the user is connecting to unsecured Wi-Fi. The VPN service also comes with Threat Protection, a suite of tools that lower the risk of malware infection. If a company protects customer passwords with salting and hashing and encrypts its own network traffic with services like NordVPN, its overall security will be far stronger.